Data security in philanthropy: Why ISO 27001 certification is the new standard

Apr 28, 2026 | Article

Good grant programs are built on trust. Applicants share financial details, personal circumstances and sensitive organisational data in good faith, and expect it to be handled with care.

But as cyber threats targeting nonprofits and public-sector entities grow more sophisticated, good intentions are no longer enough. It’s becoming more important than ever to have a strong security framework, and to ensure your software vendors have one too.

ISO 27001 certification is increasingly becoming the answer.

What is ISO 27001 certification?

ISO 27001 is the internationally recognised standard for information security management. At its core, it requires organisations to establish and maintain an information security management system (ISMS).

This means creating a structured, organisation-wide approach to identifying risks to sensitive data and managing them systematically. The ISMS covers people, processes and technology, and requires ongoing review rather than a one-time fix.

The current version, ISO/IEC 27001:2022, updated the standard to include expanded controls around cloud security, cybersecurity threat intelligence and data privacy, reflecting the realities of how modern software operates.

Globally, the number of valid ISO 27001 certificates nearly doubled between 2023 and 2024, jumping from 48,671 to 96,709. That surge reflects a growing consensus: in a world of escalating data risk, a formal, audited security management system is the standard that stakeholders increasingly expect.

Why it matters for grantmaking

Grant programs handle some of the most sensitive data in the social sector: tax records, bank details, identity documents, program financials and personal narratives from vulnerable communities. A breach damages the trust that grantmaking relies upon.

Gartner’s 2024 Global Software Buying Trends report found that 48% of software buyers now consider security the most important feature when purchasing new software, a figure that reflects how seriously organisations are considering the risks. For grant managers evaluating platforms, security credentials have moved from a nice-to-have to a procurement requirement.

That shift is also visible in funder expectations. As grant programs become more accountable to institutional funders, government bodies and international partners, demonstrating a credible security posture is part of due diligence.

In the US, SOC 2 has historically been the more common benchmark, but ISO 27001 is globally recognised and carries significant weight in international procurement, making it particularly relevant for programs that operate across borders or receive funding from global sources.

Good Grants holds both ISO 27001 and SOC 2 certifications, meaning programs can point to whichever credential their funders or partners recognise.

What the ISO 27001 certification process involves

For software vendors, the ISO 27001 certification process typically involves:

  • Defining the scope of the ISMS and conducting a risk assessment
  • Implementing security controls drawn from the standard’s 93-control Annex A framework
  • Running internal audits and management reviews to validate the system
  • Undergoing a two-stage external audit by an accredited certification body
  • Maintaining annual surveillance audits to retain certification

It’s a rigorous process, and that is precisely the point. Unlike self-reported security claims, ISO 27001 certification requires independent verification. When a vendor holds a current certificate, it signals that their security practices have been examined and confirmed by a qualified third party.

Ask the right questions, ask for proof

When evaluating or renewing your grant management software, don’t just ask whether a vendor has security certifications, but also ask for the documentation. A credible vendor should be able to provide a current ISO 27001 certificate, recent penetration testing results and a clear explanation of how they handle data residency, breach notification and access controls.

If a vendor is hesitant to share these, that tells you something important. (Need help with your questions? Our practical security checklist for grant programs includes a section on vendor due diligence that can help structure those conversations.)

What to look for in ISO 27001 software

Not all grant management platforms are built to the same standard. When assessing your options, look for platforms that hold a current ISO 27001 certificate (not just a claim of compliance), offer data residency options so your data stays in the right region, support role-based access controls and multi-factor authentication, and can provide evidence of regular independent security audits.

For example, Good Grants is ISO 27001 certified and holds the certification alongside PCI-DSS attestation. Its security architecture is built to meet the requirements of the standard. And notably, our ISO 27001 certificate is available on request, not tucked away in a sales deck.

Security as a grantmaking value

Grantmakers talk a lot about trust: with communities, with applicants, with funders. Data security is one of the most concrete expressions of that trust. Treating an applicant’s sensitive information with the same care as their funding relationship serves as an important signal of how your program operates.

ISO 27001 certification, and the ISMS definition it’s built on, provides the structure to turn that commitment into something auditable and demonstrable. As the standard for information security management systems, it’s increasingly the baseline that serious programs, and their software partners, are expected to meet.
